Gentoo Forums
Help! How can I have multiple Postfix SSL Certificates?
Forum: Networking & Security

ChojinDSL (l33t; joined 07 Jul 2003; 784 posts)

Posted: Fri Jul 27, 2007 11:47 am    Post subject: Help! How can I have multiple Postfix SSL Certificates?

I've searched the net and gone through all sorts of howtos, but I have yet to find a solution.

Here's the situation. The company that I work for has a Gentoo mail server which I installed. The server has multiple IPs and I set up the mail server using Postfix with MySQL and Postfixadmin.

My problem is this. We host several domains for our clients on that server. However, I can only set up an SSL certificate for the "main" domain. This of course leads to the problem that anyone who tries to fetch their mail via an SSL connection from a domain other than the "main" one constantly has to click "OK" when the mail client asks if they wish to proceed, since the domain name doesn't match the certificate.

Here's an example:

Our main domain is:

mail.main.com

Our clients, for example, have:

mail.client1.de
mail.client2.net
mail.client3.com

Our DNS records for these domains all point to mail.main.com. So if you were to ping mail.client1.de you would get the same results and IP address as if you pinged "mail.main.com".

According to pretty much every howto I've found on the net, I can only issue one SSL certificate for the main domain.

So basically if client1 tries to fetch their mail, they constantly get that message which requires them to click OK in order to proceed with fetching their mail.

The simplest fix that comes to mind would be the following:

Simply have all our clients configure their mail software to connect to "mail.main.com". This is something we want to avoid for two reasons.
First of all, it would be a pain in the ass to have to walk all of our clients through the procedure of reconfiguring their clients.
Second of all, we want to keep everything in this "mail.client#.com" format, since this means that if we decide to migrate a client's domain to a different server in the future, they don't have to reconfigure their software.

I think I recall reading or hearing somewhere that you can use multiple IP addresses to get around this problem with the certificates. But I'm not certain. Either way, we do have multiple IP addresses available for the same server, we just don't use them.

Does anyone know a solution, or can possibly point me to some tutorials that can help me solve this problem?
overkll (Veteran; joined 21 Sep 2004; 1249 posts; Austin, Texas)

Posted: Fri Jul 27, 2007 4:52 pm

AFAIK, the only way to have multiple Postfix server SSL/TLS certs is to run separate instances of Postfix for each client domain/server certificate. You'd need a separate Postfix main.cf and rc script for each instance, not to mention creating/managing a server certificate for each customer. In the long run, it's a solution that would need much more maintenance and system resources. One would still need to configure POP/IMAP for separate certificates. Seems like a hassle just to get rid of the need to click "OK" to proceed.

If it were me, I'd use a wildcard certificate like "*main.com" or "*mail.main.com" and change the customer/client host names to "customer.main.com" or "customer.mail.main.com". The wildcard cert would work with any host name as long as the domain matches. That way, I'd only need one Postfix instance/conf file and one certificate, yet I could still maintain a separate customer host name in DNS if I wanted to move them to a dedicated server.

This solution would still require changing the customer's client configuration, but it avoids the complexities of multiple Postfix instances and multiple certificate management.
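Both replies in this thread (one Postfix instance per certificate, or one wildcard certificate with renamed hosts), and the multiple-IP idea the original poster half-remembered, come down to the same question: which hostnames does a given certificate satisfy, and how does the server present the right certificate to the right client? The script below is an added example and is not code from either poster. It needs only openssl and runs offline. It generates throwaway self-signed certificates for the hostnames used in the thread and checks them with `openssl x509 -checkhost`, which applies the same name-matching rules a mail client library does (DNS entries in subjectAltName first, the CN only if there are none, and a leading `*.` wildcard covering exactly one label); it also builds a multi-name (subjectAltName) certificate, which the thread does not mention but which covers several unrelated names at once. Finally it prints the master.cf entries that let a single Postfix instance present a different certificate on each listening IP address via the per-service `-o` overrides Postfix supports. The 192.0.2.x addresses, the /etc/ssl/postfix/ paths and the scratch directory are placeholders chosen for the example; the `-addext` option needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Needs only openssl; everything is written
# to a scratch directory, and all IP addresses and paths are placeholders.
WORK=${WORK:-$(mktemp -d)}

# make_cert NAME CN [SAN_LIST]
# Writes a throwaway self-signed certificate $WORK/NAME.pem with the given CN.
# SAN_LIST, if given, is "DNS:host1,DNS:host2,..." (-addext needs OpenSSL 1.1.1+).
make_cert() {
    name=$1; cn=$2; san=$3
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -addext "subjectAltName=$san" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# cert_matches NAME HOST -> prints "match" or "mismatch".
# -checkhost calls X509_check_host, the same logic a client uses before it
# shows the "do you want to proceed?" dialog: subjectAltName DNS entries first,
# the CN only when there are none, and "*." matching exactly one label.
cert_matches() {
    if openssl x509 -in "$WORK/$1.pem" -noout -checkhost "$2" 2>/dev/null \
            | grep -q 'does match'; then
        echo match
    else
        echo mismatch
    fi
}

# master_cf_entries "IP HOST" ... -> one master.cf submission service per IP,
# each overriding the certificate, key and banner hostname (Postfix allows
# "IP:service" names and "-o parameter=value" overrides in master.cf).
# Each HOST must resolve to its own IP for this to help; the /etc/ssl/postfix
# paths are an assumption.
master_cf_entries() {
    for pair in "$@"; do
        ip=${pair%% *}; host=${pair#* }
        printf '%s:submission inet n - n - - smtpd\n' "$ip"
        printf '  -o myhostname=%s\n' "$host"
        printf '  -o smtpd_tls_cert_file=/etc/ssl/postfix/%s.pem\n' "$host"
        printf '  -o smtpd_tls_key_file=/etc/ssl/postfix/%s.key\n' "$host"
        printf '  -o smtpd_tls_security_level=encrypt\n'
    done
}

# Walk through the thread's hostnames: single-name cert, wildcard, multi-name.
demo() {
    make_cert main mail.main.com
    make_cert wild '*.main.com'
    make_cert multi mail.main.com 'DNS:mail.main.com,DNS:mail.client1.de,DNS:mail.client2.net'
    for t in 'main mail.main.com' 'main mail.client1.de' \
             'wild client1.main.com' 'wild client1.mail.main.com' 'wild main.com' \
             'multi mail.client1.de' 'multi mail.client3.com'; do
        echo "$t -> $(cert_matches ${t%% *} ${t#* })"
    done
    master_cf_entries '192.0.2.10 mail.main.com' '192.0.2.11 mail.client1.de'
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh script.sh demo`. The wildcard results show the limit of the second reply's suggestion: `*.main.com` matches `client1.main.com` but neither `client1.mail.main.com` nor `main.com` itself, so the customer hostnames have to sit exactly one label below the wildcard. The per-IP master.cf layout only removes the warning if each `mail.clientN.*` name resolves to its own address rather than all pointing at the address of `mail.main.com`, and the POP/IMAP daemon needs the same per-IP certificate split, since Postfix covers only SMTP. A single multi-name certificate avoids both the extra IP addresses and any client reconfiguration. Postfix 3.4 and later can also choose the certificate by TLS SNI (`tls_server_sni_maps`), which did not exist when this thread was written.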